php - str_replace / addslashes() / htmlspecialchars() .... for quote and double quote


I have a problem.

If I fill in my form with " or ' the program bugs.

I want to replace " and ' with code like ' " ' " or addslashes or whatever...

Help me please

My code:

if (isset($_POST['key'])) {
    mysql_select_db($database_dbprotect, $dbprotect);
    // escaped copy of the key, used only in the duplicate check below
    $key = mysql_real_escape_string($_POST['key']);
    $verif_query = sprintf("SELECT * FROM $bloc_news_entreprise WHERE $bloc_news_entreprise.key='$key'");
    $verif = mysql_query($verif_query, $dbprotect) or die(mysql_error());
    $row_verif = mysql_fetch_assoc($verif);
    $utilisateur = mysql_num_rows($verif);
    if ($utilisateur) {
        echo '<span>This key already exists</span>';
    } else {
        // raw POST values, not escaped; the escaped $key above is overwritten here
        $key = $_POST['key'];
        $tpl = $_POST['tpl'];
        $urlA = $_POST['urlA'];
        $urlB = $_POST['urlB'];
        $urlC = $_POST['urlC'];
        $urlD = $_POST['urlD'];
        $descriptif = $_POST['descriptif'];
        $bigTitre = $_POST['bigTitre'];
        $titreA = $_POST['titreA'];
        $titreB = $_POST['titreB'];
        $titreC = $_POST['titreC'];
        $titreD = $_POST['titreD'];
        // the raw values are interpolated straight into the SQL string
        $add_bloc = sprintf("INSERT INTO $bloc_news_entreprise ($bloc_news_entreprise.key, tpl, urlA, urlB, urlC, urlD, descriptif, bigTitre, titreA, titreB, titreC, titreD) VALUES ('$key', '$tpl', '$urlA','$urlB','$urlC','$urlD', '$descriptif', '$bigTitre', '$titreA', '$titreB', '$titreC', '$titreD')");
        mysql_select_db($database_dbprotect, $dbprotect);
        $result = mysql_query($add_bloc, $dbprotect) or die("Could not add the user data to the database");
        header("Location:config-bloc.php?addbloc=ok");
        exit;
    }
}

Answer

Solution:

You can convert to htmlentities before passing to the database insert query as follows:

htmlentities($_POST['key'], ENT_QUOTES);         // ENT_QUOTES will convert single and double inverted commas to &#039; etc.

When you execute the select query, convert the fetched data back to single/double inverted commas by using the following:

html_entity_decode($varReturnedBySelectQuery);  // $varReturnedBySelectQuery is, for example, returned by the select query

Answer

Solution:

First of all, the mysql functions are deprecated; you should use pdo_mysql. Then for quotes you can use htmlspecialchars or htmlentities or addslashes, but don't forget to use the reverse function when you read it.
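The PDO rewrite this answer points to, as an added example that is not code from the question or either answer: the asker's duplicate check and INSERT redone with prepared statements, so quotes in the form values never touch the SQL text. It assumes a table literally named bloc_news_entreprise with the columns used in the question, and the DSN and credentials are placeholders. Entity encoding is applied only when the value is echoed into the page, not before it is stored, so no reverse function is needed on read.

```php
<?php
// Added example, not from the original post. Assumes a MySQL table
// bloc_news_entreprise with the columns listed in $fields; the DSN,
// user and password below are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=dbprotect;charset=utf8mb4',
    'user',
    'password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Column names come from this fixed list, never from the request.
// `key` is a reserved word in MySQL, so it is backtick-quoted in the SQL.
$fields = ['key', 'tpl', 'urlA', 'urlB', 'urlC', 'urlD', 'descriptif',
           'bigTitre', 'titreA', 'titreB', 'titreC', 'titreD'];

if (isset($_POST['key'])) {
    // The bound parameter carries the raw value, quotes included;
    // the driver sends it separately from the statement text.
    $check = $pdo->prepare(
        'SELECT COUNT(*) FROM bloc_news_entreprise WHERE `key` = :key'
    );
    $check->execute([':key' => $_POST['key']]);

    if ((int) $check->fetchColumn() > 0) {
        // Encode at output time only: the database keeps the original text
        // and the browser receives entities instead of live markup.
        echo '<span>This key already exists: '
           . htmlspecialchars($_POST['key'], ENT_QUOTES, 'UTF-8')
           . '</span>';
    } else {
        $columns      = implode(', ', array_map(fn ($f) => "`$f`", $fields));
        $placeholders = implode(', ', array_map(fn ($f) => ":$f", $fields));
        $insert = $pdo->prepare(
            "INSERT INTO bloc_news_entreprise ($columns) VALUES ($placeholders)"
        );

        // One named parameter per column; a missing field becomes ''.
        $params = [];
        foreach ($fields as $f) {
            $params[":$f"] = $_POST[$f] ?? '';
        }
        $insert->execute($params);

        header('Location: config-bloc.php?addbloc=ok');
        exit;
    }
}
```

The SELECT-then-INSERT pair is still a race between two concurrent requests; a UNIQUE index on `key` makes the duplicate check authoritative, and the resulting PDOException on the second insert can be caught and reported the same way.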
